Processed: Re: Bug#1071920: bookworm-pu: package libseccomp/2.5.4-1+deb12u1

2024-06-15 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #1071920 [release.debian.org] bookworm-pu: package libseccomp/2.5.4-1+deb12u1
Added tag(s) confirmed.

-- 
1071920: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071920
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1071920: bookworm-pu: package libseccomp/2.5.4-1+deb12u1

2024-06-15 Thread Adam D. Barratt
Control: tags -1 + confirmed

On Sat, 2024-05-25 at 23:33 +0200, Felix Geyer wrote:
> libseccomp 2.5.4 only knows about syscalls up to Linux 6.4.
> The proposed changes add the syscalls up to Linux 6.7.

Please go ahead.

Regards,

Adam



Bug#1071920: bookworm-pu: package libseccomp/2.5.4-1+deb12u1

2024-05-25 Thread Felix Geyer

Package: release.debian.org
User: release.debian@packages.debian.org
Usertags: pu
Tags: bookworm
Severity: normal

[ Reason ]
libseccomp 2.5.4 only knows about syscalls up to Linux 6.4.
The proposed changes add the syscalls up to Linux 6.7.

[ Impact ]
Syscalls for Linux 6.5 to 6.7 can't be allowed.

Software built with support for newer kernels (often the case in containers)
expects newer syscalls to work or return ENOSYS.
If that syscall is not supported by libseccomp and a default filter action of
returning EPERM is used, such software will break.
Therefore you often need to be able to allow a syscall even when the running
kernel doesn't support it.

[ Tests ]
* autopkgtest passes on amd64
* Verified adding a filter for the fchmodat2() syscall works (new in 6.6)
* Verified that systemd and Docker run

[ Risks ]
The changes only extend the syscall csv table and add new syscall defines.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Cherry-pick upstream commit to support new syscalls.

diff -Nru libseccomp-2.5.4/debian/changelog libseccomp-2.5.4/debian/changelog
--- libseccomp-2.5.4/debian/changelog   2022-04-21 22:23:12.0 +0200
+++ libseccomp-2.5.4/debian/changelog   2024-05-25 20:36:52.0 +0200
@@ -1,3 +1,9 @@
+libseccomp (2.5.4-1+deb12u1) bookworm; urgency=medium
+
+  * Add support for syscalls up to Linux 6.7. (Closes: #1071822)
+
+ -- Felix Geyer   Sat, 25 May 2024 20:36:52 +0200
+
 libseccomp (2.5.4-1) unstable; urgency=medium
 
   * New upstream release.
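Review bot: the "Closes: #1071822" in the new changelog entry refers to a different bug than the one this pu request is filed under (#1071920); confirm that #1071822 is the package bug reporting the missing syscalls, since the pu bug is closed by the release team rather than by the upload. The entry could also name the upstream commit being cherry-picked (53267af3fb56eed93a50b8ef92f41825c97a7813, visible in the patch header) so the origin of the change is traceable from the changelog alone.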
diff -Nru libseccomp-2.5.4/debian/patches/series 
libseccomp-2.5.4/debian/patches/series
--- libseccomp-2.5.4/debian/patches/series  1970-01-01 01:00:00.0 
+0100
+++ libseccomp-2.5.4/debian/patches/series  2024-05-25 20:08:25.0 
+0200
@@ -0,0 +1 @@
+update_the_syscall_table_for_Linux_v6.7-rc3.patch
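Review bot: the patch file name records Linux v6.7-rc3 while the changelog entry and the bug description claim support for syscalls "up to Linux 6.7"; confirm that no syscall numbers were added between v6.7-rc3 and the 6.7 release, or reconcile the file name and the claim so the two do not disagree about what was covered.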
diff -Nru 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
--- 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
   1970-01-01 01:00:00.0 +0100
+++ 
libseccomp-2.5.4/debian/patches/update_the_syscall_table_for_Linux_v6.7-rc3.patch
   2024-05-25 20:06:55.0 +0200
@@ -0,0 +1,129 @@
+From 53267af3fb56eed93a50b8ef92f41825c97a7813 Mon Sep 17 00:00:00 2001
+From: Paul Moore 
+Date: Fri, 5 May 2023 14:03:38 -0400
+Subject: [PATCH] all: update the syscall table for Linux v6.7-rc3
+
+Signed-off-by: Paul Moore 
+Signed-off-by: Tom Hromatka 
+---
+ include/seccomp-syscalls.h | 17 +
+ src/syscalls.csv   | 12 +---
+ 2 files changed, 26 insertions(+), 3 deletions(-)
+
+diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h
+index ee467183..611c78db 100644
+--- a/include/seccomp-syscalls.h
 b/include/seccomp-syscalls.h
+@@ -276,6 +276,7 @@
+ #define __PNR_renameat-10242
+ #define __PNR_riscv_flush_icache  -10243
+ #define __PNR_memfd_secret-10244
++#define __PNR_map_shadow_stack-10245
+ 
+ /*
+  * libseccomp syscall definitions
+@@ -401,6 +402,8 @@
+ #define __SNR_cacheflush  __PNR_cacheflush
+ #endif
+ 
++#define __SNR_cachestat   __NR_cachestat
++
+ #define __SNR_capget  __NR_capget
+ 
+ #define __SNR_capset  __NR_capset
+@@ -595,6 +598,8 @@
+ 
+ #define __SNR_fchmodat__NR_fchmodat
+ 
++#define __SNR_fchmodat2   __NR_fchmodat2
++
+ #ifdef __NR_fchown
+ #define __SNR_fchown  __NR_fchown
+ #else
+@@ -717,14 +722,20 @@
+ 
+ #define __SNR_futex   __NR_futex
+ 
++#define __SNR_futex_requeue   __NR_futex_requeue
++
+ #ifdef __NR_futex_time64
+ #define __SNR_futex_time64__NR_futex_time64
+ #else
+ #define __SNR_futex_time64__PNR_futex_time64
+ #endif
+ 
++#define __SNR_futex_wait  __NR_futex_wait
++
+ #define __SNR_futex_waitv __NR_futex_waitv
+ 
++#define __SNR_futex_wake  __NR_futex_wake
++
+ #ifdef __NR_futimesat
+ #define __SNR_futimesat   __NR_futimesat
+ #else
+@@ -1075,6 +1086,12 @@
+ 
+ #define __SNR_madvise __NR_madvise
+ 
++#ifdef __NR_map_shadow_stack
++#define __SNR_map_shadow_stack__NR_map_shadow_stack
++#else
++#define __SNR_map_shadow_stack__PNR_map_shadow_stack
++#endif
++
+ #ifdef __NR_mbind
+ #define __SNR_mbind   __NR_mbind
+ #else
+diff --git a/src/syscalls.csv b/src/syscalls.csv
+index ea13a0eb..b0da8e6e 100644
+--- a/src/syscalls.csv
 b/src/syscalls.csv
+@@ -1,4 +1,4 @@
+-#syscall (v5.17.0 
2022-04-05),x86,x86_64,x32,arm,aarch64,mips,mips64
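Review bot: the inner "+++ b/include/seccomp-syscalls.h" and "+++ b/src/syscalls.csv" header lines appear in this copy without their "++++" prefix (only " b/include/seccomp-syscalls.h" and " b/src/syscalls.csv" are visible after the "+--- a/..." lines), so the pasted debdiff should not be relied on as-is; verify that the patch stored under debian/patches applies cleanly with quilt or dpkg-source. Within the header hunks, map_shadow_stack gets a __PNR_ pseudo-number and an #ifdef __NR_map_shadow_stack fallback, while cachestat, fchmodat2, futex_requeue, futex_wait and futex_wake are defined unconditionally as __NR_*; that means SCMP_SYS() for those five depends on the consumer's kernel headers defining the numbers, and it is the syscalls.csv rows, which are cut off here right after the "#syscall (v5.17.0" header line, that make name-based resolution of the new syscalls work. Make sure the csv part of the patch is complete and that the fchmodat2 test mentioned under [ Tests ] exercised name-based resolution, since that is the path this update unblocks on bookworm.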
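The [ Impact ] section of the request explains why a filter whose default action returns EPERM must be able to allow a syscall even when the running kernel lacks it. The C program below is an added example, not code from the bug report, from libseccomp or from Debian: it forks a child, installs a raw seccomp classic-BPF filter there (default action ERRNO(EPERM), exit_group always allowed) and has the child invoke a syscall number the kernel does not implement. The number 999 is a constructed stand-in for a syscall newer than both the kernel and libseccomp's table, and DEMO_AUDIT_ARCH, FUTURE_SYSCALL_NR, install_filter and probe_future_syscall are names chosen for this example. When the filter allows the number, the kernel answers ENOSYS, which is what software built for a newer kernel expects; when the filter cannot allow it, which is the situation when libseccomp has no entry for the name, the same call fails with EPERM instead. In libseccomp terms the allow rule is a seccomp_rule_add(ctx, SCMP_ACT_ALLOW, seccomp_syscall_resolve_name("fchmodat2"), 0) call, and seccomp_syscall_resolve_name() can only resolve the name once the csv table knows it.

```c
/* Added example (not code from the Debian bug report, libseccomp or Debian):
 * shows why a seccomp filter whose default action returns EPERM must be able
 * to allow a syscall the running kernel does not implement. It uses the raw
 * seccomp(2)/classic-BPF interface instead of libseccomp so that it builds
 * without extra libraries. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Constructed stand-in for a syscall newer than both the running kernel and
 * libseccomp's table (assumption: no kernel assigns number 999 on the
 * architectures above, so the kernel itself answers ENOSYS when asked). */
#define FUTURE_SYSCALL_NR 999

/* Install a filter in the calling process: default action ERRNO(EPERM),
 * exit_group always allowed (so the child can report back), and
 * FUTURE_SYSCALL_NR allowed only when allow_future is non-zero.
 * Returns 0 on success, -1 on failure. */
static int install_filter(int allow_future)
{
    /* When not allowing the future syscall, compare against a number the
     * child never calls, so the allow rule is never matched. */
    unsigned int allowed_nr = allow_future ? FUTURE_SYSCALL_NR
                                           : FUTURE_SYSCALL_NR + 1;
    struct sock_filter code[] = {
        /* 0-2: refuse to run under any ABI other than the one we built for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* 3-5: load the syscall number; jump to ALLOW (insn 7) for allowed ones */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed_nr, 1, 0),
        /* 6: default action, the "return EPERM" behaviour the report describes */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* 7: allow the syscall; an unimplemented one then gets ENOSYS from the kernel */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(code) / sizeof(code[0])),
        .filter = code,
    };

    /* Required before an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork, install the filter in the child, have the child invoke the unknown
 * syscall, and return the errno the child observed. Returns -1 if the child
 * could not install the filter or did not exit normally. */
int probe_future_syscall(int allow_future)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter(allow_future) != 0)
            _exit(255);
        errno = 0;
        (void)syscall(FUTURE_SYSCALL_NR);
        _exit(errno); /* errno values are small enough to fit an exit status */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 255)
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* On a kernel without syscall 999: ENOSYS when the filter allows it,
     * EPERM when the filter does not know about it. */
    printf("allowed by filter -> errno %d (ENOSYS is %d)\n",
           probe_future_syscall(1), ENOSYS);
    printf("unknown to filter -> errno %d (EPERM is %d)\n",
           probe_future_syscall(0), EPERM);
    return 0;
}
```

Build with `cc -o seccomp-demo seccomp-demo.c` (no -lseccomp needed) and run it on a Linux kernel built with seccomp filter support; the two printed errno values show the difference between a filter that can name the new syscall and one that cannot. The arch check at the top of the filter is what keeps the demo from being fooled by a compat-ABI syscall that happens to carry the same number.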